At Fri, 26 Jun 2009 09:40:48 +0200 (CEST), Hubert Feyrer
<hubert%feyrer.de@localhost> wrote:
Subject: running PFIL_HOOKS on decapsulated IPsec packets, too [was: Re:
reverse processing order: NAT, IPsec ?]
>
> On Thu, 25 Jun 2009, Greg A. Woods wrote:
> > After seeing the ultimately simple fix Hubert posted to re-enable PFIL
> > hooks for IPsec de-encapsulated packets I had a deja vu moment and I
> > think I can say this silliness has caused problems in other contexts as
> > well.
>
> I don't understand - do you mean it's silly to run PFIL hooks on
> de-encapsulated packets?

Sorry about the confusion. No, it's silly not to run PFIL hooks on
de-encapsulated IPsec packets.

The problem though is of course that PFIL users must have some way to
know whether a packet has been de-encapsulated or not.